Bypass WAF: Burp Plugin to Bypass Some WAF Devices

I wrote a blog post on the technique used by this plugin here a while back. Many WAF devices can be tricked into believing a request is from itself, and therefore trusted, if specific headers are present. The basics of the bypass approach can be found in an HP blog post here.

I have been implementing Match/Replace rules in Burp to auto-add these headers to requests sent to sites protected by WAFs for a while but decided to create a plugin that could be used to add the headers to active scans, repeater requests, intruder requests, etc. I came across this article from Fishnet Security that really got the ball rolling.

First, I implemented the plugin in Python as that was quick and easy and I actually needed it pretty quick on a recent project. Then I did some quick research on how to implement it as a Java extension to enhance efficiency.

To use this plugin to add the necessary headers, first you need to either download the Python version of the plugin, the Java version of the plugin, or the Java source and compile yourself. Once you have the plugin, start up Burp and navigate to “Extender->Extensions” and click the “Add” button. Choose an extension type of “Java”, if using the Java Plugin, or “Python”, if using the Python version, and then navigate to the extension path. The configuration should look something like:

The plugin should now be loaded and display something like:

Now you need to navigate to “Options->Sessions” and then click on the “Add” button for the “Session Handling Rules” configuration section as shown below:

Give the rule a name and then click the “Add” button in the “Rule Actions” section, and choose “Invoke a Burp extension” as shown below:

You should be able to select “Bypass WAF” in the drop down box as seen below:

Click “Ok” and then select the “Scope” tab. Enable all the tools that you want to be in scope for the extension and then set the scope. I like to enable scope for all tools and limit scope on requests to those that have been added to the suite scope as seen in below: